Best practices for ensuring a secure browsing environment

In this Help Net Security interview, Devin Ertel, CISO at Menlo Security, discusses how innovations like AI and closer collaboration between browser vendors and security providers will shape the future of browser security.

What are the primary challenges businesses face in ensuring comprehensive browser security?

The two biggest challenges businesses are patch management and configuring browser settings.

One of the primary hurdles to ensuring browser security is the constant need to keep browsers updated with the latest security patches. New vulnerabilities are discovered constantly, and failing to patch them leaves organizations exposed to attacks. This can be a logistical nightmare for IT teams, especially in large organizations with diverse user bases and devices. Coordinating updates across different operating systems, browser versions, and user locations requires robust patch management processes and often involves user education and enforcement.

Beyond patching, configuring browser settings for optimal security is equally complex. Modern browsers offer various security settings, from cookie management and privacy controls to plugin permissions and content filtering. Finding the correct configuration for each organization and use case requires consideration and often involves striking a compromise between security and user productivity.

Overly restrictive settings can hinder workflows and frustrate users, while lax settings can leave the organization vulnerable to attacks. Another complication is considering how to keep organizations safe from employees’ personal activities – since remote and hybrid work environments are the new norm.

What best practices would you recommend for enterprises managing browser settings and policies to optimize security?

One key piece of advice for managing browser settings and policies to optimize security, is to make sure to conduct a thorough risk assessment to understand the threats your users might face. This assessment should consider the types of data your organization handles, your systems’ sensitivity, and your employees’ online behaviors.

Organizations should strive to provide a clean and secure browsing environment when users access corporate assets. This can involve implementing measures to prevent browser tampering and ensuring that only authorized users can access sensitive information. Also, it is critically important to ensure proper authentication mechanisms and access controls are in place.

How can organizations balance browser security with the demand for end-user flexibility and productivity?

Balancing security with user flexibility and productivity is an ongoing challenge. A practical approach is implementing separate browser profiles for work and personal use. This allows employees to maintain their browsing habits without compromising the security of corporate resources.

Organizations can enforce stricter security policies for work profiles, such as limiting access to certain websites or web applications, blocking potentially harmful downloads, and disabling unnecessary plugins or extensions. This approach provides a secure environment for work-related browsing while allowing users greater freedom in their personal browsing activities.

However, managing multiple browser profiles and keeping them consistently updated can introduce complexities and costs. Secure enterprise browsing offers an alternative for organizations looking to avoid the overhead and potential risks of switching browsers or managing profiles.

These solutions analyze local browser configurations and automatically manage the browser attack surface, providing protection without sacrificing user experience. By leveraging technologies such as isolation and cloud-based security enforcement, these solutions can neutralize threats before they reach the endpoint.

What role does AI play in enhancing browser security, especially in identifying and neutralizing phishing sites or malicious downloads?

Traditional security measures, such as website categorization, can react slowly to emerging threats. AI-powered solutions offer real-time website analysis, enabling proactive identification and neutralization of phishing sites and malicious downloads.

These intelligent systems can analyze website content, URLs, and other factors to assess the risk level in real-time. This allows immediate action, such as blocking access to malicious sites or warning users about potentially dangerous downloads, reducing the risk of successful attacks.

What innovations or tools do you foresee shaping the future of browser security?

The future of browser security will likely be shaped by increased collaboration and integration between browser vendors and security tool providers. As big players like Chrome and Edge prioritize security, we expect to see tighter integration with security tools, enabling sharing of threat intelligence and coordinated responses to emerging threats. This collaboration could lead to the development of more comprehensive security solutions that provide protection across all major browsers.